As cyberattacks rise, so do new ways of evaluating risk

One of today’s most dramatic developments in business is the broad range of devices and mechanisms that are computerized and connected to networks on the Web. Everything from watches to appliances to jet engines and factory equipment, the proliferation of the Internet of Things (IoT) has made companies – and the people who run them – smarter and more efficient. 

However, the risks to businesses integrating IoT and other technologies are evolving, and therefore, not yet fully understood. As organizations consider accelerating investments into digital tools, Lex Baugh, AIG’s Global Chief Underwriting Officer for its Casualty and Financial Lines within General Insurance, says he expects that insurers will increasingly rely more on new and innovative ways to evaluate and manage cyber risk.

This comes as cybersecurity awareness is more critical than ever given the prevalence of ransomware attacks. In June, the White House issued new warnings about the marked rise of ransomware incidents, urging U.S. business leaders to take urgent security measures as hackers step up efforts to infiltrate and disrupt companies’ core operations. 

“We have made meaningful advances in cyber risk awareness, but many companies are still catching up,” Lex said recently on a virtual panel at the 2021 International Insurance Society Global Insurance Forum. 

“Digital assets are frequently being neglected until something happens. We’re seeing more disruptive and expensive business interruptions as clients’ activities become more integrated and more connected.”

To illustrate his point, Lex considered a hypothetical scenario at an ammonium nitrate plant. Imagine a team of engineers spending the bulk of their workday adjusting the temperatures and pressures at the plant to maximize output, but then senior leaders adopt an integrated system across dozens of plants globally because it performs the job far more efficiently. Doing so requires less manual maintenance and system-wide downtime. Plus, the system reduces human error, and therefore, generally enhances safety.

While these are indeed benefits, Lex added, interconnected systems and devices can leave companies vulnerable to hackers trying to gain control of networks. As a result, this changes the risk profile.

“Whenever you hear about a process or a technology being a smart technology, think about how it’s connecting in a way without human intervention. So, the firebreaks that we have historically seen are no longer there.”

A new and emerging risk landscape

A few other factors are complicating how insurers evaluate and underwrite cyber risks.

First, Lex explains, the impacts of COVID-19 on consumers and households have led many companies to reassess their business models and rush investments into intellectual property and new technologies without the traditional security checks and balances that the insurance industry has historically seen. 

Second, the value of today’s biggest companies listed on the S&P500 are increasingly influenced by intangible assets, including data, intellectual property, copyrights and software. From a cyber risk perspective, this trend is worth watching since hackers are likely to target such intangibles.

Third, cyber risks will increasingly impact virtually every industry. This means underwriters specializing across a broad range of areas will need more accessible ways to assess a company’s cyber exposure.

“There’s no aspect of insurable risk where cyber isn’t playing a factor,” Lex said. “Whether we’re talking about a marine underwriter or healthcare underwriter or general liability underwriter, they’ll need more sophisticated methods to assess the risks because they’re likely not going to be cyber experts fast enough.”

Demand grows for innovative risk solutions

Looking ahead, Lex expects that AIG and underwriters will rely more on externally acquired data that provide insights into cybersecurity practices and potential vulnerabilities to help expedite understanding of an organization’s security program.

As it stands, AIG uses a priority method for measuring and analyzing cyber risk. AIG extracts knowledge and insights from numerous datasets and client-specific answers. Clients receive detailed scoring, analysis, and benchmarking to help them better understand their cyber maturity.

In addition, AIG has developed a ransomware supplemental questionnaire to help underwriters determine if a company has proper controls in place to help detect and thwart ransomware attacks. AIG will also work with companies to improve their risk profile.

To be sure, solutions will likely vary depending where a client or customer is based or otherwise subject to geographical privacy and data protection legislation. This is because the public’s attitudes around privacy, data protection and legislation protecting the same varies widely by country. For example, while 66% of countries have data protection and privacy legislation, 19% of countries have no legislation, according to the United Nations Conference on Trade and Development.

“So, it’s not necessarily a one-size-fits all solution for how we solve these issues,” Lex said. “Clients will need to have strong knowledge of existing privacy, data protection and cybersecurity legislations at the industry-specific levels and at the national and international levels to manage cyber risks.”

Bottom line

The unintentional actions or lack of actions taken by organizations to address these agile cyber risks can create inadvertent consequences. Evaluating and managing these risks calls for new tools and approaches that aim to keep step with cyber criminals and that underwriters specializing across different lines of insurance can use to assess cyber risks at play.